U.S. Environmental Protection Agency
Office of Inspector General
08-P-0273
September 23, 2008

At a Glance
Catalyst for Improving the Environment

Management of EPA Headquarters Internet Protocol Addresses Needs Improvement

Why We Did This Review

The Office of Inspector General contracted with Williams, Adley & Company, LLP to conduct the annual audit of the U.S. Environmental Protection Agency’s (EPA’s) compliance with the Federal Information Security Management Act. Williams, Adley & Company, LLP conducted network vulnerability testing of the Agency’s local area network located at the EPA’s Headquarters in Washington, DC.

Background

The National Computer Center (NCC), located in Research Triangle Park, North Carolina, is responsible for managing the assignment of Internet Protocol (IP) addresses within EPA. The Enterprise Desktop Solutions Division (EDSD) is responsible for the network infrastructure required to support end user requirements.

What Williams, Adley & Company, LLP Found

Processes used to assign and track IP addresses within EPA Headquarters in Washington, DC, need strengthening to enforce accountability. Information provided by EPA representatives to support vulnerability testing of the Headquarters’ network revealed that Agency personnel were not aware of the IP addresses assigned to them. This occurred because EPA needs a:

• Process to track the assignment of IP addresses
• Method to identify all active and assigned IP addresses

Vulnerability testing of the EPA Headquarters network identified 391 IP addresses with high-risk and/or medium-risk vulnerabilities. Although EDSD personnel conducted research to identify the Program Offices responsible for the IP addresses, EDSD could not identify the offices responsible for 273 of the IP addresses. As a result, 18 high-risk vulnerabilities exist where the responsible EPA offices could not be contacted to remediate the risks. Furthermore, without a full accounting of assigned IP addresses, EPA cannot be assured that its patch management or incident response processes are effective.

What Williams, Adley & Company, LLP Recommends

Williams, Adley & Company, LLP recommends that EPA:

• Take immediate action to address all identified network security weaknesses and start risk mitigation actions to reduce the risks from the remaining 18 unidentified IP addresses.
• Develop and implement procedures to document and keep current a complete inventory of all IP addresses assigned to EPA Headquarters.
• Develop and implement a revised IP address allocation scheme to assign entire IP address blocks to Program Offices to eliminate fragmentation and improve security administration.
• Implement a process that augments the current vulnerability testing process used to identify active Headquarters IP addresses with the use of other network monitoring tools.
• Develop Plans of Actions and Milestones for each recommendation.

Due to the sensitive nature of the report’s technical findings, the full report is not available to the public.

For further information, contact our Office of Congressional and Public Liaison at (202) 566-2391.